Merge pull request #2550 from devimc/topic/virtcontainers/noVFIOInGuest

virtcontainers: Don't create vfio devices in the guest
This commit is contained in:
Julio Montes 2020-03-24 09:39:23 -06:00 committed by GitHub
commit 213f5dbaf5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 30 additions and 3 deletions


@ -51,6 +51,9 @@ const (
// KataLocalDevType creates a local directory inside the VM for sharing files between // KataLocalDevType creates a local directory inside the VM for sharing files between
// containers. // containers.
KataLocalDevType = "local" KataLocalDevType = "local"
// path to vfio devices
vfioPath = "/dev/vfio/"
) )
var ( var (
@ -1067,6 +1070,18 @@ func (k *kataAgent) constraintGRPCSpec(grpcSpec *grpc.Spec, passSeccomp bool) {
} }
} }
grpcSpec.Linux.Namespaces = tmpNamespaces grpcSpec.Linux.Namespaces = tmpNamespaces
// VFIO char device shouldn't not appear in the guest,
// the device driver should handle it and determinate its group.
var linuxDevices []grpc.LinuxDevice
for _, dev := range grpcSpec.Linux.Devices {
if dev.Type == "c" && strings.HasPrefix(dev.Path, vfioPath) {
k.Logger().WithField("vfio-dev", dev.Path).Debug("removing vfio device from grpcSpec")
continue
}
linuxDevices = append(linuxDevices, dev)
}
grpcSpec.Linux.Devices = linuxDevices
} }
func (k *kataAgent) handleShm(grpcSpec *grpc.Spec, sandbox *Sandbox) { func (k *kataAgent) handleShm(grpcSpec *grpc.Spec, sandbox *Sandbox) {
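Review bot: The filter in the second hunk drops every char device whose spec path merely starts with `/dev/vfio/`, so the `/dev/vfio/vfio` container node (not just the numbered group nodes) is removed from the guest spec as well; if a workload relies on that node being present this would presumably fail inside the guest with only a Debug-level log line as a trace, so either confirm that is intended or tighten the match to the group nodes. The comment above the loop also has a double negative; I would write it as `// VFIO char devices shouldn't appear in the guest: the device driver` / `// handles them and determines their group.` The loop itself can be an in-place filter since the original slice is replaced anyway, e.g. `linuxDevices := grpcSpec.Linux.Devices[:0]` followed by the same range over `grpcSpec.Linux.Devices`. constraintGRPCSpec begins before this hunk.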


@ -9,7 +9,6 @@ import (
"bufio" "bufio"
"context" "context"
"fmt" "fmt"
vcAnnotations "github.com/kata-containers/runtime/virtcontainers/pkg/annotations"
"io/ioutil" "io/ioutil"
"net" "net"
"os" "os"
@ -20,6 +19,8 @@ import (
"syscall" "syscall"
"testing" "testing"
vcAnnotations "github.com/kata-containers/runtime/virtcontainers/pkg/annotations"
gpb "github.com/gogo/protobuf/types" gpb "github.com/gogo/protobuf/types"
specs "github.com/opencontainers/runtime-spec/specs-go" specs "github.com/opencontainers/runtime-spec/specs-go"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
@ -611,6 +612,16 @@ func TestConstraintGRPCSpec(t *testing.T) {
Network: &pb.LinuxNetwork{}, Network: &pb.LinuxNetwork{},
}, },
CgroupsPath: "system.slice:foo:bar", CgroupsPath: "system.slice:foo:bar",
Devices: []pb.LinuxDevice{
{
Path: "/dev/vfio/1",
Type: "c",
},
{
Path: "/dev/vfio/2",
Type: "c",
},
},
}, },
Process: &pb.Process{ Process: &pb.Process{
SelinuxLabel: "foo", SelinuxLabel: "foo",
@ -641,6 +652,9 @@ func TestConstraintGRPCSpec(t *testing.T) {
// check cgroup path // check cgroup path
assert.Equal(expectedCgroupPath, g.Linux.CgroupsPath) assert.Equal(expectedCgroupPath, g.Linux.CgroupsPath)
// check Linux devices
assert.Empty(g.Linux.Devices)
} }
func TestHandleShm(t *testing.T) { func TestHandleShm(t *testing.T) {
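Review bot: The new TestConstraintGRPCSpec assertion only covers the case where every device is a VFIO node, so a regression that dropped all of `Linux.Devices` (or matched on `Type == "c"` alone) would still pass; the fixture in the third hunk should include a non-VFIO device and the check in the fourth hunk should assert it survives. Concretely, add `{Path: "/dev/null", Type: "c"},` to the `Devices` list and replace `assert.Empty(g.Linux.Devices)` with `assert.Equal([]pb.LinuxDevice{{Path: "/dev/null", Type: "c"}}, g.Linux.Devices)`. The import shuffle in the first two hunks is only a regrouping and needs nothing further.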


@ -675,8 +675,6 @@ func TestContainerStateSetFstype(t *testing.T) {
assert.Equal(cImpl.state.Fstype, newFstype) assert.Equal(cImpl.state.Fstype, newFstype)
} }
const vfioPath = "/dev/vfio/"
func TestSandboxAttachDevicesVFIO(t *testing.T) { func TestSandboxAttachDevicesVFIO(t *testing.T) {
tmpDir, err := ioutil.TempDir("", "") tmpDir, err := ioutil.TempDir("", "")
assert.Nil(t, err) assert.Nil(t, err)